From 94e1bacd166075d5472aa5792136664378cf24c7 Mon Sep 17 00:00:00 2001
From: Harshavardhana
Date: Wed, 14 Apr 2021 22:35:42 -0700
Subject: [PATCH] STS call should be rejected for missing policies (#12056)

fixes #12055
---
 cmd/iam.go | 27 +++++++++------------------
 1 file changed, 9 insertions(+), 18 deletions(-)

diff --git a/cmd/iam.go b/cmd/iam.go
index 0c0680f85..5a663d7c4 100644
--- a/cmd/iam.go
+++ b/cmd/iam.go
@@ -840,40 +840,31 @@ func (sys *IAMSys) SetTempUser(accessKey string, cred auth.Credentials, policyNa
 		return errServerNotInitialized
 	}
-	sys.store.lock()
-	defer sys.store.unlock()
-
 	ttl := int64(cred.Expiration.Sub(UTCNow()).Seconds())
 	// If OPA is not set we honor any policy claims for this
 	// temporary user which match with pre-configured canned
 	// policies for this server.
 	if globalPolicyOPA == nil && policyName != "" {
-		var availablePolicies []iampolicy.Policy
 		mp := newMappedPolicy(policyName)
-		for _, policy := range mp.toSlice() {
-			p, found := sys.iamPolicyDocsMap[policy]
-			if found {
-				availablePolicies = append(availablePolicies, p)
-			}
-		}
-
-		combinedPolicy := availablePolicies[0]
-		for i := 1; i < len(availablePolicies); i++ {
-			combinedPolicy.Statements = append(combinedPolicy.Statements,
-				availablePolicies[i].Statements...)
-		}
+		combinedPolicy := sys.GetCombinedPolicy(mp.toSlice()...)
 		if combinedPolicy.IsEmpty() {
-			delete(sys.iamUserPolicyMap, accessKey)
-			return nil
+			return fmt.Errorf("specified policy %s, not found %w", policyName, errNoSuchPolicy)
 		}
+		sys.store.lock()
+		defer sys.store.unlock()
+
 		if err := sys.store.saveMappedPolicy(context.Background(), accessKey, stsUser, false, mp, options{ttl: ttl}); err != nil {
+			sys.store.unlock()
 			return err
 		}
 		sys.iamUserPolicyMap[accessKey] = mp
+	} else {
+		sys.store.lock()
+		defer sys.store.unlock()
 	}
 	u := newUserIdentity(cred)
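Review bot: The error branch after `saveMappedPolicy` releases the store lock twice: `defer sys.store.unlock()` is registered two lines above it, and the newly added explicit `sys.store.unlock()` before `return err` runs first, so the deferred call then unlocks a lock that is already released. If `sys.store.lock`/`unlock` wrap a sync.Mutex or sync.RWMutex (the hunk does not show their definition), the second unlock is a fatal runtime error rather than a returned error, which turns a storage failure during STS credential issuance into a server crash instead of the intended rejection. The explicit call should be dropped so the branch reads `return err` alone and the deferred unlock does the release, exactly as the `else` branch already relies on. SetTempUser continues past the end of the hunk, so the deferred unlock also covers whatever follows `u := newUserIdentity(cred)`.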